Network Intrusion Detection on VNS3

04Aug14

This post originally appeared on the CohesiveFT blog

The Docker subsystem available since version 3.5 allows additional virtualized network functions (VNFs) to be run on VNS3. I’ve previously written about using this capability for content caching, SSL termination and load balancing. This time I’ll cover using it as a network intrusion detection system (NIDS).

Introducing Suricata


The archetypal NIDS for Linux is Snort. Suricata is the newer alternative developed by the Open Information Security Foundation. It’s multi-threaded, to make it more scalable, has improved protocol and file identification, and is somewhat easier to install and configure (though that’s taken care of with a Dockerfile anyway).

The demo application

For a little while I’ve used an application based on Nginx, Sinatra and MySQL to demo VNS3. It’s gratuitously three-tier, but it’s a good way of showing off the various moving parts of an overlay network. The app implements a simple web-based todo list with persistence to the database.

Getting the traffic into the NIDS

Firstly I uploaded my suricata-demo Dockerfile to VNS3 to become a container image, then I allocated a container from it, which was given the first available IP of 198.51.100.2. Getting traffic off the overlay and into the container just needs an entry like this in the firewall:

# copy all traffic from the overlay network to the NIDS container
MACRO_CUST -j COPY --from tun0 --to 198.51.100.2 --bidirectional

Whilst I’m there it’s also worth putting in the rules so that I can connect to the container over SSH (in order to see detection in action):

# enable NAT to allow containers to talk to the outside world
-o eth0 -s 198.51.100.0/28 -j MASQUERADE
# forward port 2222 from the VNS3 manager to port 22 on the container
PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 2222 -j DNAT --to 198.51.100.2:22

Application specific rules

A nice thing about application centric networks is that they can have application specific rules for intrusion detection – there’s no need to have a kitchen sink list of rules to catch every possible attack that would apply to an entire enterprise network.
For demo purposes I have a single rule that detects Mastercard numbers:

alert tcp any any -> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"MasterCard number detected in clear text"; sid:9000001; rev:1;)

This rule is looking for the pattern 5XXX-XXXX-XXXX-XXXX, where each X is a digit and each separator could be a dash, a space, or nothing. It’s not doing any validation that the numbers are valid Mastercard numbers; it’s just picking up the pattern of something that looks like a Mastercard number.
When this triggers (by putting a Mastercard number into the todo list) an alert can be seen in Suricata’s fast.log file, e.g.:

07/22/2014-19:51:20.753227  [**] [1:9000001:1] MasterCard number detected in clear text [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.111:4567 -> 10.0.6.50:37589
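To see what the rule above will and won’t alert on, here is an added example (not part of the original post or the cohesiveft images) that applies the same PCRE to constructed payloads and then runs a Luhn check over each match, the validation the rule itself deliberately skips; the payloads and the Luhn filter are my additions, and the numbers used are public test card numbers, not real accounts.

```python
import re

# The PCRE from the Suricata rule on the page, unchanged, so Python's re
# module matches exactly what the rule would match.
CARD_RE = re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(payload: str) -> list[str]:
    """Every substring the rule's pattern would fire on."""
    return [m.group(0) for m in CARD_RE.finditer(payload)]


def classify(payload: str) -> list[tuple[str, bool]]:
    """(matched text, passes Luhn) for each candidate: a quick way to see
    which alerts are plausible card numbers and which are likely noise."""
    result = []
    for cand in find_candidates(payload):
        digits = re.sub(r"[\s-]", "", cand)   # strip the optional separators
        result.append((cand, luhn_ok(digits)))
    return result


# Constructed sample payloads (public test PANs and look-alike strings).
SAMPLES = [
    "todo: pay 5555 5555 5555 4444 by friday",   # spaces, Luhn-valid test PAN
    "card 5105-1051-0510-5100 on file",          # dashes, Luhn-valid test PAN
    "ref 5000000000000000 is an order id",       # matches pattern, fails Luhn
    "ticket 55555555555544441 closed",           # 17 digits: rule has no
                                                 # boundaries, still alerts
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
```

Note the last sample: because the pattern has no word boundaries, any longer run of digits containing a matching 16-digit window will trigger the rule, which is one reason to expect noise from a pattern-only rule.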

Try it for yourself

The full cohesiveft/suricata image is available on Docker Hub (and GitHub). It uses Oinkmaster to pull a full set of rules from Emerging Threats.

The cut-down, single-rule demo version, cohesiveft/suricata-demo, described above is also available on Docker Hub (and GitHub).

Whether you start out with a full rule set, and cut out the stuff that causes too much noise, or come at it the other way to build up a rule set to address specific concerns – the choice is yours.



One Response to “Network Intrusion Detection on VNS3”

  1. RHAPIS

    The above demo can be explained also if you use a nids simulator like RHAPIS (http://rhapis-data.appspot.com)
